Author Topic: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation  (Read 1482 times)


Offline FlexibleMammoth (Topic starter)

  • Regular Contributor
  • *
  • Posts: 64
  • Country: de
JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« on: September 11, 2023, 10:15:25 pm »
After looking for a nice, compact spectrum analyzer / vector network analyzer for my home lab, I recently pulled the trigger on a used JDSU / VIAVI JD785A.

I previously had a look at the existing JD745A threads and found that they provide easy root login by running a script as root from a USB stick. Unfortunately, the newer JD745B, JD785A, JD785B models share a firmware that no longer exhibits this behavior. Instead, there is a binary recovery OS that allows installing another binary firmware file.

The recovery consists of the files Recovery and Recovery_lk2, which appear to be the same, and a system.dat containing the emergency OS. As for the firmware itself, it has some version information at the beginning and the rest appears to be compressed or encrypted, but other than that, there is no indication of its composition.

Has anyone been lucky in obtaining root, or information on the firmware structure?

Thanks :)
 

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #1 on: January 21, 2024, 11:21:49 am »
I'm also interested in acquiring such a JDSU device as a portable VNA, so I poked into their firmware. Apparently the .FW firmware image is not encrypted at all, but is simply in gzip format with a modified header. The original header is replaced by a string that is checked in the update process, and the correct gzip header is at the bottom of the image file. You can load the unstripped Recovery ELF into GHIDRA and check it out yourself.

So if one wants to explore what's in the image, one can load the .FW in a hex editor, move (copy and delete) the last 30 bytes to the head of the file (overwriting), and then it can be uncompressed by a tool you prefer (like 7zip).

One possible approach to gain root is to modify the scripts in the firmware image and craft a new .FW file. I didn't see any signature check, so I think it should be possible, just need a brave guy with hardware to try this out...
 
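The header shuffle described in the reply, as an added example that is not code from the thread or from VIAVI. It assumes exactly the layout zrq states: the first 30 bytes of an ordinary gzip stream were replaced by a marker string the updater checks, and those 30 original bytes sit at the very end of the file. The byte count comes from the post; the marker string and payload used in the demo are constructed. The gzip magic check means a file in any other layout is rejected instead of being fed to gzip as a plausible-looking stream.

```python
"""Undo the header shuffle described in the thread and decompress a .FW image.

Added example, not code from the thread or from VIAVI. Assumes the layout the
reply states: the first HEADER_LEN bytes of a normal gzip stream are replaced
by a marker string the updater checks, and those original bytes are appended
at the end of the file. The demo marker below is constructed.
"""
import gzip
import sys

HEADER_LEN = 30            # displaced byte count, taken from the forum post
GZIP_MAGIC = b"\x1f\x8b"   # gzip magic number (RFC 1952)


def restore_gzip(fw: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Move the trailing header_len bytes to the front, overwriting the marker.

    Raises ValueError when the result does not start with the gzip magic, so a
    file in some other layout is rejected rather than decompressed as garbage.
    """
    if len(fw) < 2 * header_len:
        raise ValueError("file too short for the described .FW layout")
    restored = fw[-header_len:] + fw[header_len:-header_len]
    if not restored.startswith(GZIP_MAGIC):
        raise ValueError("restored stream does not start with the gzip magic")
    return restored


def looks_like_fw(fw: bytes) -> bool:
    """True when the tail-to-head move yields a stream with a gzip header."""
    try:
        restore_gzip(fw)
    except ValueError:
        return False
    return True


def marker_string(fw: bytes, header_len: int = HEADER_LEN) -> bytes:
    """The replacement header at the front (the string the updater compares)."""
    return fw[:header_len]


def unpack_fw(fw: bytes) -> bytes:
    """Decompress whatever the repaired gzip stream contains."""
    return gzip.decompress(restore_gzip(fw))


# Constructed 30-byte marker for offline testing; a real image carries the vendor's own string.
DEMO_MARKER = b"CONSTRUCTED_FW_MARKER_12345678"


def make_demo_fw(payload: bytes, marker: bytes = DEMO_MARKER) -> bytes:
    """Build a sample image in the described layout (constructed test data)."""
    if len(marker) != HEADER_LEN:
        raise ValueError("marker must be exactly HEADER_LEN bytes")
    gz = gzip.compress(payload)
    return marker + gz[HEADER_LEN:] + gz[:HEADER_LEN]


if __name__ == "__main__":
    # usage: python fw_unpack.py image.FW out.gz   (writes the repaired gzip stream)
    data = open(sys.argv[1], "rb").read()
    print("front marker:", marker_string(data))
    with open(sys.argv[2], "wb") as out:
        out.write(restore_gzip(data))
```

The repaired stream written by the script can then be opened with any gzip-aware tool, which is the same result as the manual hex-editor move in the post.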

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #2 on: February 11, 2024, 02:10:25 pm »
There is a root password hash in LKII_FW_3.120.043-rd946d9a.FW\UpgradePackageTree\app.tar.gz\app.tar\app\script\run_FW_1.sh
Code:
sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:0:0:root:/root:/bin/bash|' /etc/passwd
I don't know if the system has dropbear listening by default (before my JD785A arrives), but I have started hashcating... It would be nice if someone else could join, as I don't have discrete graphics cards.
 

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #3 on: February 11, 2024, 04:23:07 pm »
FTP password:
Code:
CellAdvisorMobile mu%=%3Yr@DSN
ca4g 0000

Unfortunately if the developers used a similarly complex password for the root account, then hashcat will not be able to find it.
« Last Edit: February 11, 2024, 04:31:35 pm by zrq »
 

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #4 on: February 14, 2024, 01:12:52 pm »
Quote
There is a root password hash in LKII_FW_3.120.043-rd946d9a.FW\UpgradePackageTree\app.tar.gz\app.tar\app\script\run_FW_1.sh
Code:
sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:0:0:root:/root:/bin/bash|' /etc/passwd
I don't know if the system has dropbear listening by default (before my JD785A arrives), but I have started hashcating... It would be nice if someone else could join, as I don't have discrete graphics cards.

Easier than expected:
$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:SiG2018

Session..........: hashcat
Status...........: Cracked
 
The following users thanked this post: ddrl46, nctnico, giovannirat, ch_scr
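The finding in Reply #2 and its confirmation above are the classic supply-chain review case: an install script that writes a fixed password hash into /etc/passwd. Below is an added example, not code from the thread, that scans shell scripts from an unpacked firmware tree for exactly that pattern and flags MD5-based crypt ($1$) hashes, which are the kind a CPU-only hashcat run finished quickly here. The sample script is constructed; only its sed line is the one quoted in the thread.

```python
"""Scan firmware install scripts for lines that write password hashes into
/etc/passwd or /etc/shadow and report the user, algorithm and salt.

Added example, not from the thread. The sample script is constructed in the
shape of the thread's run_FW_1.sh; its sed line is the one quoted there.
"""
import re

# Modular-crypt-format hash: $id$salt$digest, e.g. $1$ (md5crypt), $6$ (sha512crypt).
# bcrypt ($2b$cost$saltdigest) has no third '$' and is deliberately not matched here.
HASH_RE = re.compile(
    r"(?P<user>[A-Za-z0-9_-]+):"
    r"(?P<hash>\$(?P<algo>[0-9a-z]+)\$(?P<salt>[^$:]*)\$(?P<digest>[A-Za-z0-9./]+))"
)
TARGET_FILES = ("/etc/passwd", "/etc/shadow")
ALGO_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK_ALGOS = {"1"}   # md5crypt: fast, unsalted-iteration-count, GPU-friendly


def find_hardcoded_hashes(script_text: str) -> list:
    """Return one finding per crypt hash on a line that touches passwd/shadow."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if not any(target in line for target in TARGET_FILES):
            continue
        for m in HASH_RE.finditer(line):
            algo_id = m.group("algo")
            findings.append({
                "line": lineno,
                "user": m.group("user"),
                "algo": ALGO_NAMES.get(algo_id, "unknown($%s$)" % algo_id),
                "salt": m.group("salt"),
                "hash": m.group("hash"),
                "weak": algo_id in WEAK_ALGOS,
            })
    return findings


def report(findings: list) -> str:
    """Human-readable summary, one line per finding."""
    lines = []
    for f in findings:
        flag = "WEAK" if f["weak"] else "ok"
        lines.append("line %d: user=%s algo=%s salt=%s [%s]"
                     % (f["line"], f["user"], f["algo"], f["salt"], flag))
    return "\n".join(lines)


# Constructed sample; the sed line is the one quoted in the thread.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed stand-in for app/script/run_FW_1.sh
echo "applying firmware"
sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:0:0:root:/root:/bin/bash|' /etc/passwd
cp /tmp/app.tar.gz /opt/
"""

if __name__ == "__main__":
    print(report(find_hardcoded_hashes(SAMPLE_SCRIPT)))
```

Run over every *.sh under an unpacked package tree, this turns the manual grep that found the hash into a repeatable check; a $1$ finding on the root account is the one to escalate, regardless of whether the password itself turns out to be crackable.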

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #5 on: February 17, 2024, 08:54:36 pm »
It seems the 007 Higher power CW generator option on JD785A is purely software controlled and can be hacked rather easily. However, I was hoping for the Bias-T but no luck, apparently that one needs extra hardware.
« Last Edit: February 17, 2024, 08:56:19 pm by zrq »
 

Offline giovannirat

  • Regular Contributor
  • *
  • Posts: 107
  • Country: at
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #6 on: February 18, 2024, 07:10:37 pm »
I own a JD785A and appreciate your great work on the firmware.

Quote
It seems the 007 Higher power CW generator option on JD785A is purely software controlled and can be hacked rather easily

It would be really nice if you could tell us how to hack some possible option on this device.

Thank you very much!
 

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #7 on: February 29, 2024, 11:43:50 am »
Quote
I own a JD785A and appreciate your great work on the firmware.

Quote
It seems the 007 Higher power CW generator option on JD785A is purely software controlled and can be hacked rather easily

It would be really nice if you could tell us how to hack some possible option on this device.

Thank you very much!

I have no plan at the moment to share the keygen, as the analyzer is still in support and I want to stay away from the potential trouble, but maybe in 10 years. However, the algorithm is quite simple: no asymmetric cryptography, just a multiplication and a table lookup. The LK2 main binary is not stripped, so it should be easy for one with basic reverse engineering skills to make a keygen.

However, one should not expect too much from the CW generator it has; the harmonics, non-harmonics, and phase noise are all terrible. I'll attach some results later.
 
The following users thanked this post: giovannirat

Offline zrq

  • Frequent Contributor
  • **
  • Posts: 273
  • Country: 00
Re: JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation
« Reply #8 on: March 15, 2024, 02:07:26 pm »
Quote
However, one should not expect too much from the CW generator it has; the harmonics, non-harmonics, and phase noise are all terrible. I'll attach some results later.
 
The following users thanked this post: ch_scr
